Attachment 17684 Details for Bug 15240 – Advisory v3

Advisory v3

CVE-2022-38023-RejectMd5Clients-v03.txt (text/plain), 5.18 KB, created by Andrew Bartlett on 2022-12-12 23:22:01 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: Andrew Bartlett

Created: 2022-12-12 23:22:01 UTC

Size: 5.18 KB

patch

obsolete

>===========================================================
>== Subject:     RC4/HMAC-MD5 NetLogon Secure Channel is weak and should be avoided
>==
>== CVE ID#:     CVE-2022-38023
>==
>== Versions:    All versions of Samba
>==
>== Summary:     The "RC4" protection of the NetLogon Secure channel uses the
>==              same algorithms as rc4-hmac cryptography in Kerberos,
>==              and so must also be assumed to be weak.
>===========================================================
>
>===========
>Description
>===========
>
>This is Samba's response to Microsoft's CVE-2022-38023[1][2].
>
>Following RFC8429 and as has been published for CVE-2022-3938, rc4-hmac
>(also known as arcfour-hmac-md5) cryptography in Kerberos is weak,
>then it follows that the RC4 mode in the NETLOGON Secure Channel
>(DCE/RPC bulk encryption) is also weak, as they are the same cipher
>(essentially).
>
>The weakness on NetLogon Secure channel is that the secure checksum is
>calculated as HMAC-MD5(MD5(DATA),KEY), meaning that an active attacker
>knowing the plaintext data could create a different chosen DATA, with
>the same MD5 checksum, and subsitute it into the data stream without
>being detected.
>
>Therefore we must disable this cipher.  
>
>In this patch we achive this by setting 'reject md5 clients = yes' and
>'reject md5 servers = yes' by default.
>
>Thankfully this cipher is unused by most modern member servers,
>including Windows 8 / Windows 2008R2 and later, however public
>documentation suggests[1] that NetApp ONTAP still uses RC4 (HMAC-MD5).
>
>The following smb.conf:
>
>   reject md5 clients = yes
>   server reject md5 schannel:triceratops$ = no
>   server reject md5 schannel:greywacke$ = no
>
>will allow only "triceratops$" and "greywacke$" to use RC4 (HMAC-MD5)
>crypography.
>
>Additionally we extend default to requiring a full encrypted NETLOGON
>secure channel.
>
>Encryption of the secure channel not only provides overall privacy
>(particularly against attacks on the individually encrypted elements
>within the NETLOGON protocol), it also strengthens the RC4 (HMAC-MD5)
>cipher.
>
>Clients that do not support NETLOGON Secure Channel encryption can be
>exempted in a similar way.  
>
>The following smb.conf:
>
>   server schannel require seal = yes
>   server schannel require seal:triceratops$ = no
>   server schannel require seal:greywacke$ = no
>
>will allow only "triceratops$" and "greywacke$" to avoid encrypted
>schannel and operate with signing-only schannel.
>
>==================
>Patch Availability
>==================
>
>Patches addressing both these issues have been posted to:
>
>    https://www.samba.org/samba/security/
>
>Additionally, Samba $VERSIONS have been issued
>as security releases to correct the defect.  Samba administrators are
>advised to upgrade to these releases or apply the patch as soon
>as possible.
>
>==================
>CVSSv3 calculation
>==================
>
>CVSS:v3.1:AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H (8.1)
>
>Despite this value, please note that this attack requires:
> * that the connection not be encrypted (which is the default)
> * that an active attacker obtains a plaintext value of a packet in the NetLogon Secure Channel
> * and can find another plaintext value with the same MD5 checksum and
>   replace it undetected.
>
>====================
>Workaround and notes
>====================
>
>Setting 'reject md5 clients' (on DCs) and 'reject md5 servers' (on
>member servers) will avoid this vulnerable protocol.  Regarding the
>encryption requirement, thankfully Samba addressed SamLogon NTLM
>session key disclosure issue in CVE-2016-2111.
>
>On the AD DC with JSON audit logs, we can find domain member servers
>that use AES (HMAC-SHA256) vs RC4 (HMAC-MD5) via the passwordType
>element.
>
>Note that un-important keys have been dropped for brevity:
>
>{
>  "type": "Authentication",
>  "Authentication": {
>    "remoteAddress": "ipv4:10.53.57.29:37589",
>    "serviceDescription": "NETLOGON",
>    "authDescription": "ServerAuthenticate",
>    "clientAccount": "LOCALADMEMBER$",
>    "becameSid": "S-1-5-21-626540054-1513162547-2555510494-1114",
>    "passwordType": "HMAC-SHA256"
>  }
>}
>
>{
>  "type": "Authentication",
>  "Authentication": {
>    "remoteAddress": "ipv4:10.53.57.11:37767",
>    "serviceDescription": "NETLOGON",
>    "authDescription": "ServerAuthenticate",
>    "clientAccount": "samlogontest$",
>    "becameSid": "S-1-5-21-626540054-1513162547-2555510494-1115",
>    "passwordType": "HMAC-MD5"
>  }
>}
>
>==========
>References
>==========
>
>[1] https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-38023
>[2] https://support.microsoft.com/en-us/topic/kb5021130-how-to-manage-the-netlogon-protocol-changes-related-to-cve-2022-38023-46ea3067-3989-4d40-963c-680fd9e8ee25
>[3] https://kb.netapp.com/Advice_and_Troubleshooting/Data_Storage_Software/ONTAP_OS/Microsoft_Security_Advisory%3A_CVE-2020-1472_impact_on_NetApp_appliance_running_CIFS_NFS_utilizing_Netlogon_servers
>
>=======
>Credits
>=======
>
>Microsoft reported this issue at 
>https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-38023
>
>Patches provided by Stefan Metzmacher of SerNet and the Samba team.
>
>Advisory written by Andrew Bartlett of Catalyst and the Samba Team.
>
>==========================================================
>== Our Code, Our Bugs, Our Responsibility.
>== The Samba Team
>==========================================================
>

Actions: View

Attachments on bug 15240: 17652 | 17671 | 17684 | 17692 | 17693 | 17694 | 17698 | 17705 | 17726 | 17727 | 17728 | 17736